It happens all the time. An organization has a privacy incident or data breach. The news stories proliferate. Cries of “shame on you” reverberate across the Internet. A number of organizations have an incident response plan, but they often don’t have much of a plan for PR. Certain incidents can take on a life of their own in the media, like a sudden tornado that swoops in and leaves devastation in its path.

Melanie Thomas is a PR expert who focuses on privacy and security incidents. Her firm, Inform, seeks to help clients not only with post-incident PR, but also pre-incident PR preparedness. Melanie is an evangelist for PR preparedness before an incident occurs. Melanie has more than 20 years of PR experience working with a wide array of types of PR and for many of the world’s largest companies. Her firm has been focusing heavily on privacy and security PR.

At many privacy/security conferences I’ve attended, the topic of privacy/security incidents often comes up, but little time is spent discussing PR, other than the common refrain that post-incident PR is a very big challenge and often could have been handled much better.

I conducted this brief interview with Melanie because I think her views on privacy/security PR are enlightening and helpful.

Solove: What are the biggest mistakes companies make in their communications efforts following a data breach?

Thomas: I think the biggest mistake companies make is simply not being prepared. People falsely assume that they’re prepared because they ran a drill four years ago. They also assume they’re insulated from a crisis like a data breach because they have a solid IT team. Worse still, they think they can figure it out at the time a crisis hits. That’s like playing roulette. The facts are these:

Crises take many forms, many of which you probably never thought about. Are you prepared for: data breach, cyber attack, third-party breaches, employee sabotage, employee error (the most common), supply chain disruption, weak earnings, natural disaster, terrorist attack, IP theft, disappointing clinical trials, disparaging social media chatter, lawsuit, employee layoffs, changing government regulations, and even employee and C-suite antics? You need to prepare for every conceivable situation. No matter how distant it seems.

A crisis WILL occur when it is most inconvenient. Your attorney is on vacation, or it’s Thanksgiving, or your CEO is scheduled to speak at a conference – or worse, on CNBC.

Crisis planning after a crisis occurs will lead to errors due to inaccurate information, panic, and chain of command confusion. People leave their positions, contact numbers change, regulations change, your spokesperson may prove uneasy in the spotlight. Don’t try to lead from behind.

Ask yourself: when is the best time to buy flood insurance—before or after the flood? Having insurance before you need it ensures you’re protected and you’ve thoughtfully considered your needs and best response. The same holds true for crisis planning.

Solove: Are there any other very big mistakes you see?

Thomas: One of the most unnecessary mistakes companies make is to expect their in-house team to manage a crisis situation. Your in-house team is critical to the daily functioning of your company. But don’t expect them to be masters of crisis, or specifically of data breach. The scope of their responsibilities is too great for them to be expected to know the evolving regulatory field governing data privacy and HIPAA, and be capable of adequate crisis response following a breach. Thorough crisis response requires professionals who spend their time following the evolution of the regulatory field, technology development and best practices.

Another major mistake I see is that companies either respond too quickly to a crisis, or too late. Timing is critical in crisis response. If you come out with comment too soon, you may not know the full extent of the damage, forcing you to revise your statement. Too late and it seems you are either avoiding responsibility, or insensitive to your customers’ plight.

Solove: Can PR really save a company when the breach is particularly prominent and has some ugly facts? Isn’t the media coverage just going to be really bad no matter what a company’s message is?

Thomas: Public relations can significantly mitigate damage in a crisis situation. A poor PR response can amplify the situation and cause additional damage to a company in a crisis situation. That does not mean you should EVER bury your head in the proverbial sand. Always take thoughtful action.

Consider the Target breach last fall: the PR response to what has become an all-too-common data breach situation made a bad situation a devastating one. The company went out too early with an assessment before a thorough understanding of the damage had been made. They miscalculated the number of customers affected; then they blamed a third party; and then they revised upward the number of affected customers. They appeared unorganized and insensitive.

Give your team adequate time to conduct a thorough forensics assessment. In the meantime, have your CEO provide a holding statement that earnestly expresses regret and a commitment to remedy the situation. Make sure, however, that your spokesperson is media trained. He or she will need it.

Solove: Your firm has focused on the data privacy/security space. Are there special PR considerations here? How is this different from general PR?

Thomas: Data privacy and cybersecurity require a deep understanding of the industry sector, regulatory field, and breach remediation. Good PR about an incident depends upon working smoothly with privacy and security officials. PR must be able to jump right in and understand the types of concerns affected individuals will have, the types of questions the media will ask, and the way that various players from regulators to media to advocates to thought leaders will react. PR must have a deep knowledge of what went right and wrong in the PR about similar types of incidents in the past.

PR is also critical in brand recovery following a breach or other crisis. Corporate social responsibility, media road shows, op-eds and letters to the editor, or community relations boards can help repair brand damage. So, in my opinion, you really want to choose a highly experienced, mid-sized generalist firm with interest and experience in data privacy and cybersecurity, a crisis preparedness training program, and crisis response capabilities -- a PR firm that can act as an extension of your in-house team. Look for one that’s focused on you, responsive, and worth the billable hour. You’ll know if it's the right firm if you see people from the firm at industry events learning alongside your privacy team.

Solove: What types of things should a company have to ensure it is handling PR appropriately?

Thomas: For effective PR, companies should have:

A Crisis Communications Plan – You should have a robust plan that considers your company’s vulnerabilities and a response scenario for each. Your plan should also include crisis captains, precise messaging and media training for every crisis scenario, a coordinated media outreach plan, a media war room and staff, and a media monitoring strategy.

A Crisis Communications Team – Identify all people who will be involved in the PR during an incident, their respective roles, and who will be making statements to the media.

Advice of Former Journalists – The advice of former journalists is essential, as former journalists understand how the media craft stories, and they bring relationships with existing news media.

Routine Assessments – Ensure your communications plan is effective and your team is prepared; check regulatory and industry updates because federal and state regulations change frequently. Stay abreast of how others are handling PR for incidents and learn from their successes and failures.

Training – Hold quarterly training to ensure that your team is prepared and that your plan is effective. Insist on continuing education for your PR team. Industry practices change, so too should your team’s practices.

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells. He is a Reporter on the American Law Institute’s Restatement Third, Information Privacy Principles. He is the author of 9 books including Understanding Privacy and more than 50 articles. Follow Professor Solove on Twitter @DanielSolove.

The views here are the personal views of Professor Solove and not those of any organization with which he is affiliated.